A Hacker Stole $20 Million from a Wallet Likely Controlled by the US Government

Biden issues national security memo on AI, UnitedHealth says 100M people affected by Change Healthcare data theft, Ukraine eyes creating Cyber Forces as armed forces branch, CFPB warns businesses about monitoring employees, Apple opens Private Cloud Compute materials to researchers, much more

A Hacker Stole $20 Million from a Wallet Likely Controlled by the US Government
The malicious wallet behind the attack. Source: Arkham Intelligence

Sponsor Message

Armed with a complete view of your organization’s software assets, Anchore allows you to find and prevent malicious content from reaching your users. Anchore’s end-to-end, SBOM-powered software supply chain security management platform protects you and your customers at every step, from SBOM monitoring to policy enforcement to remediation. Anchore integrates at every stage of the software development process, from source code to build to runtime. Every package, every library, every version is cataloged and stored. This enables organizations to find out where content is, where it came from, and how it changed.

Are you interested in sponsoring Metacurity? Email info [at] Metacurity.com with the subject line "Sponsorship."
According to on-chain analytics firm Arkham Intelligence, on October 24, a hacker compromised a wallet containing funds seized from the 2016 Bitfinex hack that the United States government likely controlled, draining it of $20 million.

The attacker sent the funds to a wallet beginning with “0x348,” which included USD Coin, Tether, aUSDC, and Ether.

Arkham said the hacker has started converting the stablecoins into ETH and laundering the funds through addresses likely associated with a money-laundering service.

The attacker exploited funds seized by the US government in the 2016 Bitfinex hack, whose perpetrators, Ilya Lichtenstein and his wife Heather Morgan, face sentencing in November.

Lichtenstein hacked the Bitfinex exchange in 2016 and stole 120,000 Bitcoin valued at about $8.2 billion at current market prices. US authorities arrested the pair in 2022.

Law enforcement officials seized the stolen crypto assets, which was the largest digital asset seizure by the United States Department of Justice at the time.

In a July 2023 plea agreement with prosecutors, the couple pleaded guilty to charges of money laundering and conspiracy to defraud the US government in exchange for lighter sentencing. At first, Lichtenstein admitted to laundering the funds but later revealed himself as the hacker. (Vince Quill / Cointelegraph)

Related: Unchained, Cryptobriefing, BeInCrypto, CCN, crypto.news, The Crypto Times, CoinMarketCap, Decrypt, The Crypto Basic, The Crypto Potato, Bitcoin.com, Web3IsGoingJustGreat

President Biden signed the first national security memorandum detailing how the Pentagon, the intelligence agencies, and other national security institutions should use and protect artificial intelligence technology, placing “guardrails” on how such tools are employed in decisions ranging from nuclear weapons to granting asylum.

However, most of the deadlines the order sets for agencies to conduct studies on applying or regulating the tools will go into full effect after Mr. Biden leaves office, leaving open the question of whether the next administration will abide by them. While most national security memorandums are adopted or amended on the margins by successive presidents, it is unclear how Donald J. Trump would approach the issue if elected next month.

“Our government took an early and critical role in shaping developments — from nuclear physics and space exploration to personal computing and the internet,” Jake Sullivan, the national security adviser who prompted many of the efforts to examine the uses and threats of the new tools, said. “That’s not been the case with most of the A.I. revolution. While the Department of Defense and other agencies funded a large share of A.I. work in the 20th century, the private sector has propelled much of the last decade of progress.”

However, Biden's aides have said that the absence of guidelines about how A.I. can be used by the Pentagon, the C.I.A., or even the Justice Department has impeded development, as companies worried about what applications could be legal.

“A.I., if used appropriately and for its intended purposes, can offer great benefits,” the new memorandum concluded. “If misused, A.I. could threaten United States national security, bolster authoritarianism worldwide, undermine democratic institutions and processes, facilitate human rights abuses.”

Such conclusions have become commonplace warnings now. But they are a reminder of how much more difficult it will be to set rules of the road for artificial intelligence than it was to create, say, arms control agreements in the nuclear age. Like cyberweapons, A.I. tools cannot be counted or inventoried, and everyday uses can, as the memorandum makes clear, go awry “even without malicious intent.” (David Sanger / New York Times)

Related: White House, The White House, The White House, Tech Policy Press, Engadget, Washington Post, Bloomberg, Default, OpenAI, UPI, The Economic Times, Politico, SiliconANGLE, CSET, Computerworld, Associated Press, GovExec.com, Neowin, Wccftech, Breaking Defense, Tech in Asia, The White House, DefenseScoop, HealthcareInfoSecurity.com, Financial Times, Nextgov/FCW, Al Jazeera, Reuters, Semafor, Axios, The Hill, Industrial Cyber

UnitedHealth has confirmed for the first time that over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, marking this as the largest healthcare data breach in recent years.

In May, UnitedHealth CEO Andrew Witty warned during a congressional hearing that "maybe a third" of all Americans' health data was exposed in the attack.

A month later, Change Healthcare published a data breach notification warning that the February ransomware attack on Change Healthcare exposed a "substantial quantity of data" for a "substantial proportion of people in America."

The US Department of Health and Human Services Office for Civil Rights data breach portal updated the total number of impacted people to 100 million, marking the first time UnitedHealth, the parent company of Change Healthcare, has officially numbered the breach.

Since June, data breach notifications sent by Change Healthcare state that a massive amount of sensitive information was stolen during the February ransomware attack. (Lawrence Abrams / Bleeping Computer)

Related: US Department of Health and Human Services Office for Civil Rights, HHS, Reuters, Silicon Republic, TechCrunch, Digital Trends, Hacker News (ycombinator), HealthExec, TechCrunch, Daily Mail

Source: Bleeping Computer.

Healthcare solutions provider Henry Schein finally disclosed a data breach following at least two back-to-back cyberattacks in 2023 by the BlackCat Ransomware gang, revealing that over 160,000 people had their personal information stolen.

The ransomware gang claimed to have encrypted Henry Schein's network a second time after negotiations failed and threatened to encrypt it a third time if a ransom was not paid.

While it is unknown if the threat actors followed through with another attack, they released some of the data stolen from Henry Schein on their data leak site.

In a filing with the Maine Attorney General, Schein confirmed that the ransomware gang stole the personal data of 166,432 people during these attacks. (Lawrence Abrams / Bleeping Computer)

Related: Maine Attorney General, Business Wire, Cybernews

Insurance administrative services company Landmark Admin warns that a May cyberattack resulted in a data breach impacting over 800,000 people.

Landmark says it detected suspicious activity on May 13th, 2024, which caused the company to shut down IT systems and remote access to its network to prevent the attack from spreading.

Landmark engaged with a third-party cybersecurity company to remediate the incident and investigate whether data was stolen in the attack.

During this investigation, Landmark says it found evidence that the threat actor accessed files containing the personal information of 806,519 people during the attack.

Landmark says the investigation is ongoing and will notify affected individuals if more information becomes available. Due to the sensitive nature of the stolen data, impacted people should monitor their credit reports and bank accounts for suspicious activity.

No threat actors have claimed responsibility for the attack, so whether it was ransomware or a data theft attack is unknown. (Lawrence Abrams / Bleeping Computer)

Related: Maine Attorney General, JD Supra, The Record, Tom's Guide

Ukraine's military, lawmakers, and experts have discussed the creation of Cyber Forces as a separate branch of the Armed Forces.

The discussion occurred during a meeting attended by representatives of the Defense Forces, members of the Verkhovna Rada Committee on National Security, Defense, and Intelligence, and experts. Anatoliy Barhylevych, the Chief of the General Staff of the Armed Forces of Ukraine, chaired the meeting.

Participants reviewed the main provisions of the draft concept for the creation of Cyber Forces, taking into account the experience of implementing and operating this type of force in leading countries worldwide.

The General Staff noted that the creation of Cyber Forces will "significantly enhance" the capabilities of the Ukrainian military, ensuring effective planning and implementation of the full spectrum of tasks in the cyber domain, which is recognized as a separate operational domain alongside land, sea, air, and space. (Artem Dzheripa / Liga.net)

Related: Espreso, Mil.in.ua

Sen. Mark Warner (D-VA) sent letters to six CEOs of the largest internet domain companies, questioning their role in recently uncovered disinformation campaigns tied to the Russian government. 

Warner sent letters to the leaders of Cloudflare, GoDaddy, NameCheap, NameSilo, Newfold, and Verisign, asking each to take steps to examine the ways they have “ostensibly facilitated sustained covert influence activity by the Russian Federation and influence networks operating on its behalf.”

“In particular, recent disruption actions by the Department of Justice indicate that your company has provided domain registration services to the Russian covert influence network known as ‘Doppelganger,’” Warner said. 

In September, the Justice Department uncovered a vast network of websites, some of which mimic well-known sites like the Washington Post and Fox News, that the Russian government uses to spread propaganda and narratives designed to cause chaos and confusion. 

The companies running the disinformation sites are allegedly operating under the direction of Sergei Kiriyenko, the first deputy chief of staff to Russian President Vladimir Putin, and other members of the president’s office.

Warner said that with the presidential election becoming a close race, Americans must have websites they can reliably turn to for accurate information. (Jonathan Greig / The Record)

Related: Senator Mark Warner, CircleID

The CFPB said employees have the right to consent to collecting personal information and to dispute inaccurate information.

The new guidance focuses on third-party tools that can be used in decisions to punish or even fire workers over their workplace conduct. Various vendors offer AI-powered tools to monitor employee conduct based on customer complaints and track productivity. Some tools can be used to assess the likelihood that workers might help organize a union, probe employee social-media activity, or estimate the probability that a worker might leave the job, the CFPB said.

The Fair Credit Reporting Act, which became law in 1970 to ensure fairness in the information collected by consumer reporting agencies, applies to some company background checks. The most recent guidance is intended to clarify that the protections in that law also apply to newer tools. (Richard Vanderford / Wall Street Journal)

Related: CFPB, The Record

Apple made its Private Cloud Compute Virtual Research Environment (VRE) and other materials publicly available to all security researchers.

Apple has a Private Cloud Compute (PCC) Security Guide that details all of PCC's components and how they work to provide privacy for cloud-based AI processing. Apple released the source code for select PCC components that help implement its security and privacy requirements, which allows for a deeper dive into PCC.

The Virtual Research Environment is a set of tools that lets researchers perform their security analysis on PCC using a Mac. The VRE can be used to inspect PCC software releases, verify the consistency of the transparency log, boot a release in a virtualized environment, and modify and debug PCC software for deeper investigation. It can be accessed in the macOS 18.1 Developer Preview and used with a Mac that has an Apple silicon chip and 16GB+ unified memory.

Along with these tools, Apple is expanding its Apple Security Bounty to include rewards for vulnerabilities that demonstrate a compromise of the fundamental privacy and security guarantees of Private Cloud Compute. Security researchers who locate a vulnerability can earn up to $1 million. (Juli Clover / MacRumors)

Related: Apple Security Research, Apple, BleepingComputer, The Verge, PCMag, TechCrunch, AppleInsider, 9to5Mac, SecurityWeek, Apple on GitHub, Absolute Geeks

Overview of Private Cloud Compute. Source: Apple.

Amazon Web Services has fixed a flaw in its open-source Cloud Development Kit that, under the right conditions, could allow an attacker to hijack a user's account completely.

The Cloud Development Kit (CDK) is an open-source framework developed by AWS that allows developers to define cloud application infrastructure as code using programming languages such as Python, TypeScript, JavaScript, Go, and others and then provision these resources through AWS CloudFormation.

Bug hunters at Aqua spotted the CDK issue on June 27, according to the firm's security researchers, Ofek Itach and Yakir Kadkoda. About two weeks later, the cloud giant patched the flaw with CDK version v2.149.0.

The security problem is related to an earlier attack method dubbed "Bucket Monopoly," in which criminals could predict AWS S3 bucket names, pre-load malicious code into a bucket, and then sit back and wait for the target org to execute it unwittingly.

Once that happened, the attackers could steal data or even take over a user's account without their knowledge.

The newer issue also involves these S3 buckets, the predictable nature of their names, and attackers abusing this predictability via S3 Bucket Namesquatting. (Jessica Lyons / The Register)

Related: Aqua Security, Dark Reading, TechTarget, TechRadar

Source: Aqua Security.

White House National Cyber Director Harry Coker Jr. said new guidance issued to federal agencies would require adopting the traffic light protocol (TLP) when handling information disclosures.

TLP is a three-tiered system in which different color codes define the level of disclosure a researcher wants the recipient to provide. A red report means the information is strictly confidential, while a yellow level allows outside parties to receive details on a need-to-know basis. A green report allows for community sharing, and clear means full public disclosure.

Coker said the idea is to allow researchers to control the information they share with federal agencies. This, in turn, allows the researcher to share data with the government ahead of time to secure critical systems and infrastructure while still being able to coordinate a public disclosure with the vendor or a bug bounty portal. (Shaun Nichols / SC Media)

Related: White House, White House

During Day Three of Pwn2Own Ireland, white hat hackers exposed 11 zero-day vulnerabilities, adding $124,750 to the total prize pool, which now stands at $874,875.

The day was successful for Ha The Long and Ha Anh Hoang from Viettel Cyber Security, who exploited the QNAP TS-464 NAS using a single command injection vulnerability. This successful attack earned them $10,000 and 4 Master of Pwn points.

Pumpkin Chang and Orange Tsai from the DEVCORE Research Team combined three exploits—a CRLF injection, an authentication bypass, and an SQL injection—to take control of the Synology BeeStation. Their complex exploit rewarded them with $20,000 and 4 points.

PHP Hooligans / Midnight Blue used an out-of-bounds write and a memory corruption bug to perform a "SOHO Smashup." They managed to go from the QNAP QHora-322 router to a Lexmark printer, ultimately printing their own "banknotes," earning the team $25,000 and 10 Master of Pwn points.

Later in the day, Viettel Cyber Security delivered another success, exploiting the Lexmark CX331adwe printer using a type confusion vulnerability, adding $20,000 and 2 more points to their tally. (Bill Toulas / Bleeping Computer)

Related: Zero Day Initiative

Concentric AI, which makes intelligent AI-based solutions for autonomous data security posture management (DSPM), announced it had raised $45M in a Series B venture funding round.

Top Tier Capital Partners and HarbourVest Partners led the round with the participation of CyberFuture and existing investors Ballistic Ventures, Engineering Capital, Clear Ventures, and Citi Venture. (Kyle Wiggers / TechCrunch)

Related: Business Wire, FinSMEs, Concentric AI

Identity verification service Socure has agreed to acquire the fraud prevention platform Effectiv for $136 million in cash and equity.

By acquiring closely-held Effectiv, Socure is seeking to become a one-stop fraud prevention shop for enterprise customers. (Emily Mason / Bloomberg)

Related: Socure, Biometric Update, FinSMEs

Best Thing of the Day: No Stinking Ransomware Attack Will Stop Voting

Despite a ransomware attack that forced the Jefferson County Clerk's Office in Kentucky to shutter three months ago, in-person excused absentee voting is underway, and it looks like all systems are functional ahead of election day.

Worst Thing of the Day: Just When You Think He Couldn't Be More Reprehensible

Elon Musk has been in regular contact with Russian President Vladimir Putin since late 2022, with Putin even asking the world's richest man to avoid activating his Starlink satellite internet service over Taiwan as a favor to Chinese leader Xi Jinping.
